Security Vulnerability in Android allows any app to make phone calls

An application normally needs permission and should alert user that it needs permission to make phone call, when it is being installed.

Researchers at Security firm CureSec has discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls.

By exploiting this vulnerability, malicious apps can make phone calls to premium-rated numbers and terminate any outgoing calls. It is also capable of sending Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your sim cards and so on.

The security bug appears to be introduced in Android Jelly bean 4.1.1 and it exits in all latest versions through Android Kitkat 4.4.2.

CureSec has also released a source code and proof-of-concept application to demonstrate the existence of vulnerability.